Notorious Spam Host "Prospero" Now Routing Through Kaspersky Lab Networks
Prospero OOO, a major bulletproof hosting provider linked to malware and phishing operations, has started routing through Kaspersky Lab’s network. This shift raises concerns over cybersecurity risks and Kaspersky’s role.

A major shift in the cybercrime infrastructure landscape has been detected: Prospero OOO, a Russia-based bulletproof hosting provider long associated with phishing sites, botnet controllers, and malware operations, has begun routing its operations through networks operated by Kaspersky Lab, according to findings from KrebsOnSecurity and security researchers at Spamhaus and Kentik.
Who Is Prospero?
Prospero OOO (ООО in Russian, equivalent to "LLC") is known for providing "bulletproof" hosting services—offering cybercriminals infrastructure that ignores abuse complaints and takedown requests. French security firm Intrinsec recently detailed how Prospero has provided infrastructure for multiple ransomware gangs and well-known malware campaigns, including SocGholish and GootLoader.
These malware families, often distributed through fake browser updates on compromised websites, serve as initial footholds for more severe intrusions—such as ransomware attacks against enterprises.
A Direct Connection to Kaspersky’s Network
Doug Madory, director of Internet analysis at Kentik, confirmed that Prospero began routing its traffic through Kaspersky’s network in early December 2024. Security researchers noted that Kaspersky’s AS209030 is now providing transit to Prospero’s AS200593, a move that raises concerns about whether Kaspersky is knowingly facilitating Prospero’s operations.
Notably, Kaspersky’s network also hosts multiple financial institutions, including Russia’s largest bank, Alfa-Bank. While Kaspersky is known for offering DDoS protection services, it remains unclear whether the company is actively providing services to Prospero or if the connection is an indirect routing arrangement.
“In some ways, providing DDoS protection to a well-known bulletproof hosting provider may be even worse than just allowing them to connect to the rest of the Internet over your infrastructure,” said Zach Edwards, a senior threat researcher at Silent Push.
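The transit relationship described above is read from BGP AS paths: after collapsing prepends, the AS immediately before the origin is its upstream on that path. The following is an added example, not code from the article or the researchers it cites, that applies this to constructed route-collector entries and also handles prepending and AS_SET hops, which the text does not discuss. Only AS209030 and AS200593 come from the page; all prefixes and other ASNs are reserved documentation or private values.

```python
from collections import Counter

ORIGIN = 200593   # Prospero OOO, from the article
SUSPECT = 209030  # Kaspersky Lab, from the article

# Constructed sample of (prefix, AS_PATH) pairs as a route collector would
# report them. Prefixes and all other ASNs are documentation/private values.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", "64500 64510 209030 200593"),
    ("192.0.2.0/24", "64501 209030 200593 200593 200593"),    # origin prepends
    ("198.51.100.0/24", "64502 64511 209030 209030 200593"),  # upstream prepends
    ("198.51.100.0/24", "64503 64520 200593"),                # another upstream
    ("203.0.113.0/24", "64504 209030 64530 200593"),          # on path, not adjacent
    ("203.0.113.0/24", "64505 {64540,64541} 200593"),         # AS_SET before origin
    ("203.0.113.0/24", "64506 209030"),                       # different origin
]

def parse_as_path(text):
    """Split an AS_PATH string into hops; an AS_SET {a,b} becomes a frozenset."""
    hops = []
    for token in text.split():
        if token.startswith("{") and token.endswith("}"):
            hops.append(frozenset(int(a) for a in token[1:-1].split(",")))
        else:
            hops.append(int(token))
    return hops

def upstream_of(path_text, origin):
    """AS adjacent to `origin`; None if the path does not end at origin or shows no upstream."""
    hops = []
    for hop in parse_as_path(path_text):  # collapse prepending (repeated ASNs)
        if not hops or hops[-1] != hop:
            hops.append(hop)
    if len(hops) < 2 or hops[-1] != origin:
        return None
    return hops[-2] if isinstance(hops[-2], int) else "AS_SET"

def upstream_report(routes, origin):
    """Count, per upstream AS, how many observed paths reach `origin` through it."""
    seen = (upstream_of(path, origin) for _prefix, path in routes)
    return Counter(up for up in seen if up is not None)

def adjacency_share(routes, origin, suspect):
    """Fraction of paths to `origin` whose last hop before it is `suspect`."""
    counts = upstream_report(routes, origin)
    total = sum(counts.values())
    return counts[suspect] / total if total else 0.0

if __name__ == "__main__":
    print(upstream_report(SAMPLE_ROUTES, ORIGIN))
    print(f"share via AS{SUSPECT}: {adjacency_share(SAMPLE_ROUTES, ORIGIN, SUSPECT):.0%}")
```

Adjacency in an AS path shows a BGP relationship only; it does not show which service, if any, the upstream is providing.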
Kaspersky’s Response
In a written statement issued on March 1, 2025, Kaspersky denied working with Prospero, stating:
“Kaspersky denies these claims as the company does not work and has never worked with the service provider in question. The routing through networks operated by Kaspersky doesn’t by default mean provision of the company’s services, as Kaspersky’s automatic system (AS) path might appear as a technical prefix in the network of telecom providers the company works with and provides its DDoS services.”
Kaspersky added that it is investigating the situation and intends to notify the necessary parties if any action is required.
A History of Cybercrime Associations
Prospero’s reputation as a haven for cybercriminals is well established. Security firms have linked it to bulletproof hosting services like BEARHOST and Securehost, which openly advertise their willingness to host malware, botnets, phishing sites, and spam operations.
“If you need a server for a botnet, for malware, brute, scan, phishing, fakes, and any other tasks, please contact us,” read one advertisement from BEARHOST on Russian cybercrime forums. “We completely ignore all abuses without exception, including SPAMHAUS and other organizations.”
Prospero’s Rising Infamy in Cybercrime
A 2024 report by the Interisle Consulting Group ranked Prospero as the single worst offender in terms of spam and malicious hosting, ahead of all other hosting providers in sheer volume of malicious activity.
The move to Kaspersky’s network raises the question of whether the routing arrangement was intentional, accidental, or merely a transit path created through third-party network providers.
The Kaspersky Controversy & U.S. Government Bans
Kaspersky, once a respected cybersecurity firm, has been increasingly scrutinized by Western governments over concerns about its ties to the Russian government.
In 2017, the U.S. Department of Homeland Security (DHS) banned all federal agencies from using Kaspersky software, citing security concerns.
In July 2024, the U.S. Commerce Department banned Kaspersky from selling its software in the United States, citing risks related to Russian government influence over domestic companies.
According to cybersecurity journalist Kim Zetter, U.S. officials banned Kaspersky due to concerns that Russian intelligence could compel the company to conduct espionage or assist in cyber operations.
Kaspersky has denied any such involvement, claiming that its software and infrastructure are not used for espionage and that the company follows strict ethical guidelines.
Why This Matters
If Prospero is actively using Kaspersky’s network for bulletproof hosting, it could undermine trust in Kaspersky’s security infrastructure and raise further questions about whether Russian authorities are turning a blind eye—or worse, providing protection—to known cybercriminal groups.
While it remains unclear whether Kaspersky is directly involved or simply a transit provider, this revelation adds to growing concerns over the intersection between Russian cybersecurity firms and cybercrime networks.
What Happens Next?
The cybersecurity community, law enforcement agencies, and network operators will likely monitor this situation closely to determine:
- Whether Kaspersky will take action to sever Prospero’s connection to its network
- If Prospero’s operations shift again in response to this exposure
- Whether additional security firms and governments will pressure Kaspersky over this development
Regardless of intent, the fact that one of the world’s most notorious bulletproof hosts is now leveraging Kaspersky’s infrastructure is a troubling sign for the global cybersecurity landscape.